Afraid of system being compromised - is it true? How to solve? Newbie
Hello,
PART 1:
There are two computers. Computer A uses openSUSE and is usually used for common tasks (no risk at all). Suddenly, one day some "markers" from Mozilla Firefox were modified, but not by the legitimate users. The firewall rules were for eth0 (the only interface) in the External zone, and the router is connected directly to the DSL line (no other computers in the LAN).
The modification of the Firefox markers cannot have been done by us, and it is not easy to do by mistake, because the markers were modified specifically in a tree of folders, deleting two URL markers and adding two others.
I know from the language and the context of the new URLs that the "intruder" is of my nationality.
The problem is that the legitimate users of the computer just deleted both fake URLs and added the original ones back. After that, they just continued using the computer normally. That day, neither of those URLs' webpages was under attack (like DNS or something like that, where maybe the auto-refresh of Firefox, if such a thing exists, just updated both of them at the moment of the attack on the webpages). Also, they didn't say anything about a possible attack. And because it is in the markers of Firefox (something that is stored locally), I thought it was a direct, targeted attack on computer A and its users.
Question A: Was my supposition correct? Or is there still any possibility that it was a general attack? I dismiss any possibility of a popular worm/virus because the modification of the markers was really specific and in a national context.
Question B: What is the best procedure to analyze the source of the attack, and how do I protect against it? How can I know what things have been modified? I think it is weird that the intruder shows himself by modifying something in the system (like the Firefox markers), so he/she wants to be known, like a threat.
I have installed and started the ClamAV antivirus. So far I can show that there are:
Code:
Windows and Data NTFS partitions (Windows not really used, Data used from Linux):
- hundreds of Heuristics.Encrypted.ZIP (or PDF, RAR), Heuristics.Broken.Executable
- file .htm with Exploit.HTML.MHTRedir.4n
- file .pdf with Exploit.PDF-1745
- file .rar with Trojan.W32.HotKeysHook.A
- 5 files .js with Worm.JS.Redlof.A
Linux (normally used):
- /boot/vmlinux-3.1.10-1.16-desktop.gz Heuristics.Broken.Executable
- /home/userA/Applications/jDownloaders/JDownlaoder/libs/jna.jar Heuristics.Broken.Executable
- /home/userA/.jd/libs/jna.jar Heuristics.Broken.Executable
- /home/userA/.thunderbird/ct5dfrhd.default/training.dat Heuristics.Broken.Executable
- /lib/firmware/vxge/X3fw.ncf Heuristics.Encrypted.Zip
- /lib/firmware/vxge/X3fw-pxe.ncf Heuristics.Encrypted.Zip
At the time the detection was reported, Windows had not been used in the preceding days. Therefore, Linux was the OS at the time of the intrusion.
Now I have access to the main computer A, where the "intrusion" happened two and a half weeks ago, but I really don't know what to do or how to proceed. At least I have installed ClamAV and shown the results above.
The problem is that I came with computer B running Arch Linux, and I needed internet to start checking how to deal with all this. The problem is that after activating eth0 and running the DHCP client to get an IP, I got the connection, and just after that I saw really weird behaviour. Suddenly, the computer froze a little; well, not really froze, but it was slow for some moments, and when I checked in the terminal what had happened, my prompt had been modified.
Before was:
ussr@localhost
now:
ussr@unknown002454062846
That put me on alert, so I quickly disconnected the ethernet. Because I don't know how to proceed, and I am really scared of the situation, I just post the "captures" below.
iptables of computer B (I followed the Arch Linux Simple Stateful Firewall... I think I got it correctly)
sudo cat /var/log/everything.log [more info maybe]
Code:
Mar 12 21:46:46 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 21:46:46 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:46 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:46:55 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:46:55 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:46:55 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:43 localhost kernel: [ 282.346749] usb 4-1: USB disconnect, device number 2
Mar 12 21:50:44 localhost kernel: [ 283.346743] usb 1-1: USB disconnect, device number 2
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:50:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:50:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:50:46 localhost kernel: [ 284.773394] Monitor-Mwait will be used to enter C-3 state
Mar 12 21:50:46 localhost kernel: [ 285.600790] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=600
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:51:46 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:51:46 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:51:46 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:03 localhost kernel: [ 361.720026] usb 4-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:52:03 localhost kernel: [ 362.021197] input: USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.0/input/input15
Mar 12 21:52:03 localhost kernel: [ 362.021535] hid-generic 0003:05AF:0802.0004: input,hidraw0: USB HID v1.10 Keyboard [ USB Keyboard] on usb-0000:00:1d.0-1/input0
Mar 12 21:52:03 localhost kernel: [ 362.113907] input: USB Keyboard as /devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1:1.1/input/input16
Mar 12 21:52:03 localhost kernel: [ 362.114113] hid-generic 0003:05AF:0802.0005: input,hidraw1: USB HID v1.10 Device [ USB Keyboard] on usb-0000:00:1d.0-1/input1
Mar 12 21:52:03 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:03 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:52:04 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:52:04 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:52:04 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 21:53:36 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 21:53:36 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 21:53:36 localhost kernel: [ 455.631890] EXT4-fs (sda5): re-mounted. Opts: data=ordered,commit=0
Mar 12 21:54:15 localhost kernel: [ 494.630014] usb 1-1: new low-speed USB device number 3 using uhci_hcd
Mar 12 21:54:16 localhost kernel: [ 494.819169] input: Logitech USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/input/input17
Mar 12 21:54:16 localhost kernel: [ 494.819483] hid-generic 0003:046D:C05B.0006: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1a.0-1/input0
Mar 12 21:56:16 localhost kernel: [ 615.359568] sky2 0000:06:00.0 eth0: enabling interface
Mar 12 21:56:16 localhost kernel: [ 615.359925] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Mar 12 21:56:18 localhost kernel: [ 617.200722] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:56:18 localhost kernel: [ 617.200761] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Mar 12 21:57:01 localhost kernel: [ 659.837395] sky2 0000:06:00.0 eth0: Link is down
Mar 12 21:57:03 localhost kernel: [ 662.485483] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: version 5.6.4 starting
Mar 12 21:58:03 localhost kernel: [ 722.424132] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier acquired
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: carrier lost
Mar 12 21:58:03 localhost dhcpcd[1072]: wlan0: waiting for carrier
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: acknowledged 192.168.1.35 from 192.168.1.1
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: checking for 192.168.1.35
Mar 12 21:58:07 localhost dhcpcd[1072]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:58:11 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: sending IPv6 Router Solicitation
Mar 12 21:58:15 localhost dhcpcd[1119]: eth0: no IPv6 Routers available
Mar 12 21:59:33 localhost kernel: [ 812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [ 826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 21:59:48 localhost systemd-coredump[1165]: Process 1164 (konsole) dumped core.
Mar 12 22:00:32 localhost kernel: [ 870.727165] konsole[1174]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:00:32 localhost systemd-coredump[1175]: Process 1174 (konsole) dumped core.
Mar 12 22:01:01 localhost systemd[1]: Starting Cleanup of Temporary Directories...
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 22:01:01 localhost anacron[1192]: Anacron started on 2013-03-12
Mar 12 22:01:01 localhost anacron[1192]: Normal exit (0 jobs run)
Mar 12 22:01:01 localhost systemd[1]: Started Cleanup of Temporary Directories.
Mar 12 22:01:04 localhost kernel: [ 902.743018] konsole[1196]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:01:04 localhost systemd-coredump[1197]: Process 1196 (konsole) dumped core.
Mar 12 22:01:21 localhost dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:21 localhost org.kde.powerdevil.backlighthelper: QDBusConnection: system D-Bus connection created before QCoreApplication. Application may misbehave.
Mar 12 22:01:21 localhost dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:22 localhost dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:22 localhost dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating service name='org.kde.powerdevil.backlighthelper' (using servicehelper)
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Successfully activated service 'org.kde.powerdevil.backlighthelper'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
Mar 12 22:01:26 localhost dbus-daemon[340]: dbus[340]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit dbus-org.freedesktop.Avahi.service failed to load: No such file or directory. See system logs and 'systemctl status dbus-org.freedesktop.Avahi.service' for details.
Mar 12 22:01:46 localhost dhcpcd[1119]: eth0: carrier lost
Mar 12 22:01:46 localhost kernel: [ 945.353892] sky2 0000:06:00.0 eth0: Link is down
I have checked .bashrc and the prompt is still:
PS1='[\u@\h \W]\$ '
And \h means hostname... And if I check /etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
So, something is wrong...
I don't know how to proceed, neither on computer A nor on computer B.
Question C: Is it possible to have any mechanism to know every file that is modified, added or deleted on the whole system? Something like the log, but for every file? I think it is the only way to know what is going on.
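One way to get what Question C asks for is a file-integrity baseline: hash every file now, keep the manifest somewhere the suspect machine cannot write to, and diff against it later. This is an added example written for this thread, not code posted by anyone in it; it uses only the Python standard library, and EXCLUDE_DIRS is an assumption about which pseudo-filesystems to skip when scanning from "/".

```python
"""File-integrity baseline and comparison (added example; not code from the thread).

Build a manifest of every regular file under a root (path -> SHA-256, size,
permission bits, mtime), store it off the suspect machine, and later diff a
fresh manifest against it to list added, removed and modified files.
"""
import hashlib
import json
import os
import stat

# Assumed: kernel pseudo-filesystems whose contents are not on disk.
EXCLUDE_DIRS = {"/proc", "/sys", "/dev", "/run"}


def _sha256(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: {sha256, size, mode, mtime}} for every regular file under root."""
    root = os.path.abspath(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune pseudo-filesystems in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in EXCLUDE_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue          # symlinks, sockets and device nodes are not hashed
                digest = _sha256(full)
            except OSError:
                continue              # unreadable or vanished file: skip rather than abort
            manifest[os.path.relpath(full, root)] = {
                "sha256": digest,
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),   # permission + setuid/setgid/sticky bits
                "mtime": int(st.st_mtime),          # informational only: mtime is easy to forge
            }
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Compare two manifests. A file counts as modified when its hash or mode bits differ."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = [p for p in base_paths & cur_paths
                if baseline[p]["sha256"] != current[p]["sha256"]
                or baseline[p]["mode"] != current[p]["mode"]]
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(modified),
    }


if __name__ == "__main__":
    # Usage: python integrity.py baseline ROOT MANIFEST
    #        python integrity.py check    ROOT MANIFEST
    import sys
    action, root, manifest_path = sys.argv[1:4]
    if action == "baseline":
        save_manifest(build_manifest(root), manifest_path)
    else:
        report = diff_manifests(load_manifest(manifest_path), build_manifest(root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
```

The baseline is only as trustworthy as the system that produced it, so take it from a known-clean state (for example booted from a live CD) and keep the manifest off the machine.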
ZZipo, I have sent you a private message regarding your situation. We at LQSecurity will certainly help you with this situation. Please try to disturb the situation as little as possible and avoid rebooting, etc.
Would you please tell me what distribution you're running, an estimate of the patch level (how judicious have you been in performing updates), what server processes you are running, and whether you are running any control panels such as Plesk, etc.
I would also ask that you please run the following command as root to capture a process tree, open file list, and network connection status:
Please obtain copies of your log files and transfer them to a safe location. I would like to ask how far back your log files go and whether they predate the suspected compromise. Are you familiar with the logwatch utility? Please obtain it and run it with the following options:
Code:
--detail High --service All --range All --archives --numeric --save /path/to/logwatch.log
These commands should be run as root. The two commands above will create a file called output.log in your /tmp folder and a file called logwatch.log. We will need to evaluate the output of these commands to gather information regarding the state of your system. We can make arrangements for you to either upload them or email them to us for analysis.
While you are obtaining this information, I will review what you have posted above and get back to you as soon as possible. Lastly, I would like you to review the dated, but still valid, CERT Intruder Detection Checklist, as it will give you an idea of the steps involved in investigating your situation. In essence, we will gather information regarding what is running on the system, open network connections and history information, and look for hidden and modified files.
Here is some follow-up information for you. First, about computer A. ClamAV is pretty good at detecting Windows viruses. It is not likely to tell you much about Linux infections, though. The Heuristics.Broken.Executable which you are getting on both systems means that the scanner has trouble following the executable machine code. See this thread from Ubuntu's Launchpad bug system regarding this message. Apparently this heuristic was intended to be a form of mail worm scanner. It does look like there is some garbage on the Windows system. I haven't investigated these items yet, but that is one thing we should check; however, Windows tends to ignore non-Windows drive partitions and I doubt that Windows malware would take over a Linux system on the machine. It is more likely to have an issue directly with it.
On computer A, when you say connected directly to DSL, is there a router in between, and when you connected computer B was it in the same LAN or directly connected to the DSL? I am curious as to where the DHCP server connection originated.
My suspicion is that no, it is unlikely that the markers (bookmarks?) in Firefox would have been accidentally modified in the manner you describe without some form of intrusion. Have a look at this page from Mozilla support which discusses where the marker files are stored. This gives us an idea of an area to investigate.
Your firewall settings look ok and indicate that you're not running any server process. This is good and helps to limit your exposure. You will still need to investigate this machine THOROUGHLY. I understand your concerns with what happened with machine B; let's discuss that now.
One thing I would suggest you do is look at your /etc/dhcp/dhclient.conf. One of the things that is possible is to get the hostname via DHCP, and it looks like the hostname was changed on your system. This can also have side effects, and from googling this function it looks like the underlying X window system and display managers don't take kindly to it. Do you have a request line with host-name in it? If so, this is probably what happened. You can also look at your /etc/hostname file to see what is in there.
Looking at the log files, you can see where your system obtained a DHCP lease. Immediately following this, part of your KDE system crashed: "konsole[1156]: segfault at 84 ip b73128d4". Note the PID number 1156. PIDs in this range are missing in your process list, but are immediately followed by /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa, which looks like a restart of X, fitting with the theory that changing the hostname conflicts with the display manager. The pause you saw was likely this crashing, restarting, and trying to generate a core dump.
Looking over your process list, I don't see anything particularly out of the ordinary. The -:0 with the PID immediately following the restart of X is a little odd, but I think it is part of the X system. The only thing I can see out of the ordinary in the process list is that you're running KDE with some Gnome3 processes, e.g. /etc/at-spi2/accessibility.conf and the following two lines. Googling these processes pulls up information about Arch packages, and having both KDE and Gnome libraries and applications on the same system is not uncommon. I don't think that there is anything malicious about it.
So, as it stands, you still need to investigate computer A. I think we have a good theory as to what happened when you tried to connect with computer B. I would recommend that you change the network settings to use a static IP instead of DHCP next time you connect. You can also use a live CD for extra precaution, as that can't be permanently written. The commands I provided earlier should be run in investigating machine A, and we should start by capturing information about it.
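The timeline argument in the reply above (DHCP lease, then konsole segfaults seconds later) can be checked mechanically rather than by eye. This is an added example written for this thread, not code from anyone in it: it parses syslog-style lines, finds the dhcpcd lease acknowledgement, and lists the kernel segfault records that follow within a window. SAMPLE_LOG is a constructed excerpt modelled on the everything.log lines posted earlier, and ASSUMED_YEAR is an assumption because syslog timestamps carry no year.

```python
"""Correlate a DHCP lease with the crashes that follow it in a syslog-style log.

Added example (not code from the thread). Finds the dhcpcd "leased" message and
lists the kernel segfault records within a window after it, with their offset
in seconds from the lease.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2013   # assumption: syslog lines carry no year; only used for ordering within a day

# "Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased ..." -> time, host, program, pid, message
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")
LEASE_RE = re.compile(r"^(\S+): leased (\d+\.\d+\.\d+\.\d+) for (\d+) seconds")
SEGFAULT_RE = re.compile(r"(\S+)\[(\d+)\]: segfault at (\S+) ip (\S+) sp (\S+) error (\d+) in (\S+)")

# Constructed sample, modelled on the everything.log excerpt posted in the thread.
SAMPLE_LOG = """\
Mar 12 21:56:18 localhost kernel: [  617.200722] sky2 0000:06:00.0 eth0: Link is up at 100 Mbps, full duplex, flow control rx
Mar 12 21:58:03 localhost dhcpcd[1072]: eth0: broadcasting for a lease
Mar 12 21:58:04 localhost dhcpcd[1072]: eth0: offered 192.168.1.35 from 192.168.1.1
Mar 12 21:58:10 localhost dhcpcd[1072]: eth0: leased 192.168.1.35 for 43200 seconds
Mar 12 21:58:10 localhost dhcpcd[1072]: forked to background, child pid 1119
Mar 12 21:59:33 localhost kernel: [  812.425190] konsole[1156]: segfault at 84 ip b73128d4 sp bf9e00c0 error 4 in libkdeui.so.5.10.0[b6fcb000+42b000]
Mar 12 21:59:33 localhost systemd-coredump[1158]: Process 1156 (konsole) dumped core.
Mar 12 21:59:47 localhost kernel: [  826.338582] konsole[1164]: segfault at 84 ip b761e8d4 sp bfb066b0 error 4 in libkdeui.so.5.10.0[b72d7000+42b000]
Mar 12 22:01:01 localhost CROND[1186]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Split one syslog line into (time, host, program, pid, message); None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    when = datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    return when, host, prog, int(pid) if pid else None, msg


def find_leases(lines):
    """Return [(time, iface, ip, lease_seconds)] for every dhcpcd lease acknowledgement."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "dhcpcd":
            m = LEASE_RE.match(rec[4])
            if m:
                out.append((rec[0], m.group(1), m.group(2), int(m.group(3))))
    return out


def find_segfaults(lines):
    """Return [(time, program, pid, library)] for every kernel segfault record."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "kernel":
            m = SEGFAULT_RE.search(rec[4])
            if m:
                # "libkdeui.so.5.10.0[b6fcb000+42b000]" -> keep the library name, drop the mapping
                out.append((rec[0], m.group(1), int(m.group(2)), m.group(7).split("[")[0]))
    return out


def crashes_after_lease(lines, window_seconds=300):
    """For each lease, list the segfaults that follow it within window_seconds."""
    lines = list(lines)
    hits = []
    for lease_time, iface, ip, _ in find_leases(lines):
        for crash_time, prog, pid, lib in find_segfaults(lines):
            offset = (crash_time - lease_time).total_seconds()
            if 0 <= offset <= window_seconds:
                hits.append({"lease_time": lease_time, "iface": iface, "ip": ip,
                             "crash_time": crash_time, "program": prog, "pid": pid,
                             "library": lib, "offset_s": int(offset)})
    return hits


if __name__ == "__main__":
    # Point this at a real file with: crashes_after_lease(open("/var/log/everything.log"))
    for h in crashes_after_lease(SAMPLE_LOG.splitlines()):
        print(f"{h['program']}[{h['pid']}] crashed in {h['library']} "
              f"{h['offset_s']}s after {h['iface']} leased {h['ip']}")
```

A crash a minute after the lease is consistent with the hostname-change theory but does not prove it; the same correlation run over the weeks of logs before the event shows whether konsole crashed without a preceding lease.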
redirecting to systemctl
SuSEfirewall2_init.service - LSB: SuSEfirewall2 phase 1
Loaded: loaded (/etc/init.d/SuSEfirewall2_init)
Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 938 ExecStart=/etc/init.d/SuSEfirewall2_init start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/SuSEfirewall2_init.service
Checking the status of SuSEfirewall2 running
redirecting to systemctl
acpid.service - ACPI Event Daemon
Loaded: loaded (/lib/systemd/system/acpid.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 993 ExecStart=/sbin/acpid (code=exited, status=0/SUCCESS)
Main PID: 994 (acpid)
CGroup: name=systemd:/system/acpid.service
└ 994 /sbin/acpid
redirecting to systemctl
alsa-restore.service - Restore Sound Card State
Loaded: loaded (/lib/systemd/system/alsa-restore.service; static)
Active: inactive (dead) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 909 ExecStart=/usr/sbin/alsactl restore (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/alsa-restore.service
redirecting to systemctl
atd.service - LSB: Start AT batch job daemon
Loaded: loaded (/etc/init.d/atd)
Active: inactive (dead)
CGroup: name=systemd:/system/atd.service
redirecting to systemctl
autofs.service - LSB: automatic mounting of filesystems
Loaded: loaded (/etc/init.d/autofs)
Active: inactive (dead)
CGroup: name=systemd:/system/autofs.service
redirecting to systemctl
avahi-daemon.service - Avahi mDNS/DNS-SD Stack
Loaded: loaded (/lib/systemd/system/avahi-daemon.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Main PID: 1010 (avahi-daemon)
Status: "Server startup complete. Host name is linux-7sgr.local. Local service cookie is 198690539."
CGroup: name=systemd:/system/avahi-daemon.service
└ 1010 avahi-daemon: running [linux-7sgr.local]
redirecting to systemctl
avahi-dnsconfd.service - Avahi DNS Configuration Daemon
Loaded: loaded (/lib/systemd/system/avahi-dnsconfd.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/avahi-dnsconfd.service
redirecting to systemctl
bluez-coldplug.service - LSB: handles udev coldplug of bluetooth dongles
Loaded: loaded (/etc/init.d/bluez-coldplug)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3920 ExecStart=/etc/init.d/bluez-coldplug start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/bluez-coldplug.service
redirecting to systemctl
cgroup.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-tmpfiles-setup.service - Recreate Volatile Files and Directories
Loaded: loaded (/lib/systemd/system/systemd-tmpfiles-setup.service; static)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 906 ExecStart=/bin/systemd-tmpfiles --create --remove (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-tmpfiles-setup.service
redirecting to systemctl
clock.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
crypto-early.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
cycle.service - LSB: Set default boot entry if called
Loaded: loaded (/etc/init.d/boot.cycle)
Active: active (exited) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
Process: 470 ExecStart=/etc/init.d/boot.cycle start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/cycle.service
redirecting to systemctl
device-mapper.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
dmraid.service - LSB: start dmraid
Loaded: loaded (/etc/init.d/boot.dmraid)
Active: inactive (dead)
CGroup: name=systemd:/system/dmraid.service
redirecting to systemctl
klog.service - Early Kernel Boot Messages
Loaded: loaded (/lib/systemd/system/klog.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/klog.service
redirecting to systemctl
ldconfig.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
loadmodules.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
localfs.service - Shadow /etc/init.d/boot.localfs
Loaded: loaded (/lib/systemd/system/localfs.service; static)
Active: inactive (dead)
CGroup: name=systemd:/system/localfs.service
redirecting to systemctl
localnet.service - LSB: setup hostname and yp
Loaded: loaded (/etc/init.d/boot.localnet)
Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
Process: 503 ExecStart=/etc/init.d/boot.localnet start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/localnet.service
redirecting to systemctl
lvm.service - LSB: start logical volumes
Loaded: loaded (/etc/init.d/boot.lvm)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm.service
redirecting to systemctl
lvm_monitor.service - LSB: start monitoring of LVM VGs now filesystems are mounted rw
Loaded: loaded (/etc/init.d/boot.lvm_monitor)
Active: inactive (dead)
CGroup: name=systemd:/system/lvm_monitor.service
redirecting to systemctl
md.service - LSB: Multiple Device RAID
Loaded: loaded (/etc/init.d/boot.md)
Active: inactive (dead)
CGroup: name=systemd:/system/md.service
redirecting to systemctl
multipath.service - LSB: Create multipath device targets
Loaded: loaded (/etc/init.d/boot.multipath)
Active: inactive (dead)
CGroup: name=systemd:/system/multipath.service
redirecting to systemctl
fsck-root.service - File System Check on Root Device
Loaded: loaded (/lib/systemd/system/fsck-root.service; static)
Active: inactive (dead)
start condition failed at Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
CGroup: name=systemd:/system/fsck-root.service
redirecting to systemctl
swap.service
Loaded: masked (/dev/null)
Active: inactive (dead)
redirecting to systemctl
systemd-sysctl.service - Apply Kernel Variables
Loaded: loaded (/lib/systemd/system/systemd-sysctl.service; static)
Active: active (exited) since Tue, 12 Mar 2013 19:09:20 +0000; 14h ago
Process: 528 ExecStart=/lib/systemd/systemd-sysctl (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-sysctl.service
redirecting to systemctl
udev.service - udev Kernel Device Manager
Loaded: loaded (/lib/systemd/system/udev.service; static)
Active: active (running) since Tue, 12 Mar 2013 19:09:19 +0000; 14h ago
Main PID: 471 (udevd)
CGroup: name=systemd:/system/udev.service
├ 471 /sbin/udevd
├ 643 /sbin/udevd
└ 644 /sbin/udevd
redirecting to systemctl
cifs.service - LSB: Import remote SMB/ CIFS (MS Windows) file systems
Loaded: loaded (/etc/init.d/cifs)
Active: inactive (dead)
CGroup: name=systemd:/system/cifs.service
redirecting to systemctl
clamav-milter.service - LSB: milter compatible mail scanner
Loaded: loaded (/etc/init.d/clamav-milter)
Active: inactive (dead)
CGroup: name=systemd:/system/clamav-milter.service
redirecting to systemctl
clamd.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/clamd)
Active: inactive (dead)
CGroup: name=systemd:/system/clamd.service
redirecting to systemctl
cpufreq.service - LSB: CPUFreq modules loader
Loaded: loaded (/etc/init.d/cpufreq)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 916 ExecStart=/etc/init.d/cpufreq start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cpufreq.service
redirecting to systemctl
cron.service - Command Scheduler
Loaded: loaded (/lib/systemd/system/cron.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Main PID: 3923 (cron)
CGroup: name=systemd:/system/cron.service
└ 3923 /usr/sbin/cron -n
redirecting to systemctl
cups.service - LSB: CUPS printer daemon
Loaded: loaded (/etc/init.d/cups)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1062 ExecStart=/etc/init.d/cups start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/cups.service
└ 1199 /usr/sbin/cupsd -C /etc/cups/cupsd.conf
redirecting to systemctl
dbus.service - D-Bus System Message Bus
Loaded: loaded (/lib/systemd/system/dbus.service; static)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1024 ExecStartPre=/bin/rm -f /var/run/dbus/pid (code=exited, status=0/SUCCESS)
Process: 1003 ExecStartPre=/bin/dbus-uuidgen --ensure (code=exited, status=0/SUCCESS)
Main PID: 1043 (dbus-daemon)
CGroup: name=systemd:/system/dbus.service
├ 1043 /bin/dbus-daemon --system --address=systemd: --nofork --systemd-activation
├ 1801 /usr/lib/polkit-1/polkitd --no-debug
├ 2576 /usr/lib/upower/upowerd
├ 2624 /usr/lib/udisks/udisks-daemon
├ 2625 udisks-daemon: not polling any devices
└ 3295 /usr/lib/rtkit/rtkit-daemon
redirecting to systemctl
dnsmasq.service - LSB: Starts internet name service masq caching server (DNS)
Loaded: loaded (/etc/init.d/dnsmasq)
Active: inactive (dead)
CGroup: name=systemd:/system/dnsmasq.service
Checking for service syslog: running
redirecting to systemctl
freshclam.service - LSB: virus scanner daemon
Loaded: loaded (/etc/init.d/freshclam)
Active: inactive (dead)
CGroup: name=systemd:/system/freshclam.service
Neither the variables MOUSEDEVICE and MOUSETYPE nor the variable GPM_PARAM
is set in /etc/sysconfig/mouse
Run 'yast mouse' to set up gpm
redirecting to systemctl
haveged.service - Haveged Entropy Gathering Daemon
Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 995 ExecStart=/sbin/haveged -w 1024 -v 1 (code=exited, status=0/SUCCESS)
Main PID: 1058 (haveged)
CGroup: name=systemd:/system/haveged.service
└ 1058 /sbin/haveged -w 1024 -v 1
redirecting to systemctl
joystick.service - LSB: Set up analog joysticks
Loaded: loaded (/etc/init.d/joystick)
Active: inactive (dead)
CGroup: name=systemd:/system/joystick.service
redirecting to systemctl
kbd.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Warning: Unit file changed on disk, 'systemctl --system daemon-reload' recommended.
redirecting to systemctl
kexec.service - Reboot via kexec
Loaded: loaded (/lib/systemd/system/kexec.service; static)
Active: inactive (dead)
CGroup: name=systemd:/system/kexec.service
redirecting to systemctl
ksysguardd.service - LSB: KDE ksysguard daemon
Loaded: loaded (/etc/init.d/ksysguardd)
Active: inactive (dead)
CGroup: name=systemd:/system/ksysguardd.service
redirecting to systemctl
lirc.service - LSB: lirc daemon
Loaded: loaded (/etc/init.d/lirc)
Active: inactive (dead)
CGroup: name=systemd:/system/lirc.service
redirecting to systemctl
mdadmd.service - LSB: mdadmd daemon monitoring MD devices
Loaded: loaded (/etc/init.d/mdadmd)
Active: inactive (dead)
CGroup: name=systemd:/system/mdadmd.service
redirecting to systemctl
microcode.ctl.service - LSB: CPU microcode updater
Loaded: loaded (/etc/init.d/microcode.ctl)
Active: active (exited) since Tue, 12 Mar 2013 19:09:29 +0000; 14h ago
Process: 914 ExecStart=/etc/init.d/microcode.ctl start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/microcode.ctl.service
redirecting to systemctl
multipathd.service - LSB: Starts multipath daemon
Loaded: loaded (/etc/init.d/multipathd)
Active: inactive (dead)
CGroup: name=systemd:/system/multipathd.service
redirecting to systemctl
mysql.service - LSB: Start the MySQL database server
Loaded: loaded (/etc/init.d/mysql)
Active: inactive (dead)
CGroup: name=systemd:/system/mysql.service
redirecting to systemctl
network.service - LSB: Configure the localfs depending network interfaces
Loaded: loaded (/etc/init.d/network)
Active: active (running) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 1061 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network.service
├ 1992 /sbin/dhclient6 -6 -cf /var/lib/dhcp6/dhclient6.eth0.conf -lf /var/lib/dhcp6/dhclient6.eth0.lease -pf /var/run/dhclie...
└ 2533 /sbin/dhcpcd --netconfig -L -E -HHH -c /etc/sysconfig/network/scripts/dhcpcd-hook -t 0 -h linux-7sgr eth0
redirecting to systemctl
network-remotefs.service - LSB: Configure the remote-fs depending network interfaces
Loaded: loaded (/etc/init.d/network-remotefs)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3935 ExecStart=/etc/init.d/network-remotefs start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/network-remotefs.service
redirecting to systemctl
nfs.service - LSB: NFS client services
Loaded: loaded (/etc/init.d/nfs)
Active: inactive (dead)
CGroup: name=systemd:/system/nfs.service
redirecting to systemctl
nmb.service - LSB: Samba NetBIOS naming service over IP
Loaded: loaded (/etc/init.d/nmb)
Active: inactive (dead)
CGroup: name=systemd:/system/nmb.service
redirecting to systemctl
nscd.service - LSB: Start Name Service Cache Daemon
Loaded: loaded (/etc/init.d/nscd)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 1008 ExecStart=/etc/init.d/nscd start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/nscd.service
└ 1021 /usr/sbin/nscd
redirecting to systemctl
ntp.service - LSB: Network time protocol daemon (ntpd)
Loaded: loaded (/etc/init.d/ntp)
Active: inactive (dead)
CGroup: name=systemd:/system/ntp.service
redirecting to systemctl
openvpn.service - LSB: OpenVPN tunnel
Loaded: loaded (/etc/init.d/openvpn)
Active: inactive (dead)
CGroup: name=systemd:/system/openvpn.service
redirecting to systemctl
pm-profiler.service - LSB: Script infrastructure to enable/disable certain power management functions
Loaded: loaded (/etc/init.d/pm-profiler)
Active: inactive (dead)
CGroup: name=systemd:/system/pm-profiler.service
redirecting to systemctl
Failed to issue method call: Unknown unit
redirecting to systemctl
powerd.service - LSB: Start the UPS monitoring daemon
Loaded: loaded (/etc/init.d/powerd)
Active: inactive (dead)
CGroup: name=systemd:/system/powerd.service
redirecting to systemctl
systemd-random-seed-load.service - Load Random Seed
Loaded: loaded (/lib/systemd/system/systemd-random-seed-load.service; static)
Active: inactive (dead) since Tue, 12 Mar 2013 19:09:22 +0000; 14h ago
Process: 533 ExecStart=/lib/systemd/systemd-random-seed load (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/systemd-random-seed-load.service
redirecting to systemctl
raw.service - LSB: raw devices
Loaded: loaded (/etc/init.d/raw)
Active: inactive (dead)
CGroup: name=systemd:/system/raw.service
redirecting to systemctl
rpcbind.service - LSB: TI-RPC program number mapper
Loaded: loaded (/etc/init.d/rpcbind)
Active: inactive (dead)
CGroup: name=systemd:/system/rpcbind.service
redirecting to systemctl
rpmconfigcheck.service - LSB: rpm config file scan
Loaded: loaded (/etc/init.d/rpmconfigcheck)
Active: inactive (dead)
CGroup: name=systemd:/system/rpmconfigcheck.service
redirecting to systemctl
rsyncd.service - LSB: Start the rsync server daemon
Loaded: loaded (/etc/init.d/rsyncd)
Active: inactive (dead)
CGroup: name=systemd:/system/rsyncd.service
redirecting to systemctl
setserial.service - LSB: Initializes the serial ports
Loaded: loaded (/etc/init.d/setserial)
Active: inactive (dead)
CGroup: name=systemd:/system/setserial.service
/usr/sbin/FOO not installed
redirecting to systemctl
smartd.service - Self Monitoring and Reporting Technology (SMART) Daemon
Loaded: loaded (/lib/systemd/system/smartd.service; disabled)
Active: inactive (dead)
CGroup: name=systemd:/system/smartd.service
redirecting to systemctl
smb.service - LSB: Samba SMB/CIFS file and print server
Loaded: loaded (/etc/init.d/smb)
Active: inactive (dead)
CGroup: name=systemd:/system/smb.service
redirecting to systemctl
smolt.service - LSB: Enables automated checkins with smolt
Loaded: loaded (/etc/init.d/smolt)
Active: inactive (dead)
CGroup: name=systemd:/system/smolt.service
redirecting to systemctl
splash.service - LSB: Splash screen setup
Loaded: loaded (/etc/init.d/splash)
Active: active (exited) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 971 ExecStart=/etc/init.d/splash start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash.service
redirecting to systemctl
splash_early.service - LSB: kills animation after network start
Loaded: loaded (/etc/init.d/splash_early)
Active: active (exited) since Tue, 12 Mar 2013 19:09:52 +0000; 14h ago
Process: 3921 ExecStart=/etc/init.d/splash_early start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/splash_early.service
redirecting to systemctl
sshd.service - LSB: Start the sshd daemon
Loaded: loaded (/etc/init.d/sshd)
Active: inactive (dead)
CGroup: name=systemd:/system/sshd.service
redirecting to systemctl
syslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/syslog.service; enabled)
Active: active (running) since Tue, 12 Mar 2013 19:09:30 +0000; 14h ago
Process: 984 ExecStart=/sbin/rsyslogd -c 5 -f /etc/rsyslog.conf (code=exited, status=0/SUCCESS)
Process: 982 ExecStartPre=/var/run/rsyslog/addsockets (code=exited, status=0/SUCCESS)
Process: 923 ExecStartPre=/bin/systemctl stop systemd-kmsg-syslogd.service (code=exited, status=0/SUCCESS)
Main PID: 988 (rsyslogd)
CGroup: name=systemd:/system/syslog.service
└ 988 /sbin/rsyslogd -c 5 -f /etc/rsyslog.conf
redirecting to systemctl
xdm.service - LSB: X Display Manager
Loaded: loaded (/etc/init.d/xdm)
Active: active (running) since Tue, 12 Mar 2013 19:09:31 +0000; 14h ago
Process: 1068 ExecStart=/etc/init.d/xdm start (code=exited, status=0/SUCCESS)
CGroup: name=systemd:/system/xdm.service
├ 1312 /usr/bin/kdm
└ 1427 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -auth /var/lib/xdm/authdir/authfiles/A:0-FxZ3mb
redirecting to systemctl
xfs.service - LSB: X Font Server
Loaded: loaded (/etc/init.d/xfs)
Active: inactive (dead)
CGroup: name=systemd:/system/xfs.service
redirecting to systemctl
xinetd.service - LSB: Starts the xinet daemon. Be aware that xinetd doesn't start if no service is configured to run under it. To enable xinetd services go to YaST Network Services (xinetd) section.
Loaded: loaded (/etc/init.d/xinetd)
Active: inactive (dead)
CGroup: name=systemd:/system/xinetd.service
redirecting to systemctl
ypbind.service - LSB: Start ypbind (necessary for a NIS client)
Loaded: loaded (/etc/init.d/ypbind)
Active: inactive (dead)
CGroup: name=systemd:/system/ypbind.service
Mozilla Firefox 14.0.1
Code:
Plugins:
- IcedTea-Web Plugin (using IcedTea-Web 1.2 (suse-3.1-i386)) - to execute Java Applets
- PackageKit - for installing Applications (new) - First time I see this plugin, but it has probably always been here in openSUSE's Firefox.
- Shockwave Flash 11.2 r202
- Silverlight Plug-In 4.0.51204.0
Addons:
- Adblock Plus
- All-in-One Sidebar
- Blank Your Monitor + Easy Reading
- DownloadHelper
- Novell Moonlight
- openSUSE Firefox extensions
- Personas
- Wiktionary and Google Translate
ComputerA is usually connected (nearly 24/7), and between normal use (no attack identified) and the notification of the modification of the bookmarks (possible attack performed) there was 1 day in between. They didn't need to log in again, because the computer was switched on with only the screen blanked.
Router
The router has the possibility to be used wirelessly, but it is deactivated. The only wire connected directly to the router goes to computerA. There is no way for it to be tapped. It is impossible for there to be other users (intruders) on the same LAN.
Only two possibilities:
- tap the wire at some point between our house and the DSLAM (telco's), the wires of the neighborhood.
- attack from outside
The router has an easy password to access it, but I think one first has to be in the LAN to be able to connect, isn't it?
For sure none of the legitimate users access the router.
I have to say, I trust the legitimate users 120%.
I have changed the physical address to show it here.
Code:
ARP Table
IP address Physical Address Interface Static
192.168.1.33 sf:sf:sf:sf:sf:sf eth0 no
Routing Table
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 0.0.0.0 ppp-0 1
IP Filter Configuration
IP Filtering: Disabled
Port Forwarding Configuration
Name Protocol External Port Internal IP Internal Port
ppp-0
eMULE TCP 37000 192.168.1.33 37000
eMULE UDP 8000 192.168.1.33 8000
Vitual Server Configuration
DMZ Host
Interface DMZ Host
ppp-0 N/A
ppp-1 N/A
MAC Filtering
Disabled
Quality of Service Configuration
Traffic Name Priority VLAN ID Min-Max IP TOS 802.1p [Source IP] AddressNetmask Start Port End Port [Destination IP] AddressNetmask Start Port End Port
Profile Name: voip
Rule: voip 7 -1--1 Normal Service -1 0.0.0.0 0.0.0.0 0 65535 81.47.224.0 255.255.252.0 0 65535
NMAP in Computer A
sudo nmap -v -sT 192.168.1.0/24
Code:
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:43 WET
Initiating ARP Ping Scan at 10:43
Scanning 33 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 0.65s elapsed (33 total hosts)
Initiating Parallel DNS resolution of 33 hosts. at 10:43
Completed Parallel DNS resolution of 33 hosts. at 10:43, 0.06s elapsed
Initiating Parallel DNS resolution of 1 host. at 10:43
Completed Parallel DNS resolution of 1 host. at 10:43, 0.06s elapsed
Initiating Connect Scan at 10:43
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 23/tcp on 192.168.1.1
Discovered open port 21/tcp on 192.168.1.1
Discovered open port 53/tcp on 192.168.1.1
Discovered open port 8008/tcp on 192.168.1.1
Discovered open port 2800/tcp on 192.168.1.1
Completed Connect Scan at 10:43, 1.11s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.58s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp open domain
80/tcp open http
2800/tcp open acc-raid
8008/tcp open http
MAC Address: sf:sf:sf:sf:sf:sf (sfsfsfs.)
Initiating ARP Ping Scan at 10:43
Scanning 222 hosts [1 port/host]
Completed ARP Ping Scan at 10:43, 9.24s elapsed (222 total hosts)
Initiating Connect Scan at 10:43
Scanning 192.168.1.33 [1000 ports]
Completed Connect Scan at 10:43, 0.01s elapsed (1000 total ports)
Nmap scan report for 192.168.1.33
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.1.33 are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (2 hosts up) scanned in 11.26 seconds
Raw packets sent: 509 (14.252KB) | Rcvd: 1 (28B)
sudo nmap -sT -O localhost
Code:
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2013-03-13 10:47 WET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
631/tcp open ipp
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(
....)
Network Distance: 0 hops
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.63 seconds
I see in port forwarding two ports for emule (really weird... several years without using that program), but then nmap doesn't detect those ports as open. Why?
Computer B - The next results are without internet connection. (If I connect ethernet I will need other services like iptables, dhcpcd, ... that are not listed now)
Executed without internet connection:
systemctl list-units --full | grep active
Code:
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File System Automount Point
sys-devices-pci0000:00-0000:00:01.0-0000:01:00.1-sound-card1.device loaded active plugged /sys/devices/pci0000:00/0000:00:01.0/0000:01:00.1/sound/card1
sys-devices-pci0000:00-0000:00:1b.0-sound-card0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1b.0/sound/card0
sys-devices-pci0000:00-0000:00:1c.0-0000:02:00.0-net-wlan0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1c.0/0000:02:00.0/net/wlan0
sys-devices-pci0000:00-0000:00:1c.3-0000:06:00.0-net-eth0.device loaded active plugged /sys/devices/pci0000:00/0000:00:1c.3/0000:06:00.0/net/eth0
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda1.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda2.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda3.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda4.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda5.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda-sda6.device loaded active plugged ST9500325AS
sys-devices-pci0000:00-0000:00:1f.2-ata1-host0-target0:0:0-0:0:0:0-block-sda.device loaded active plugged ST9500325AS
sys-devices-platform-serial8250-tty-ttyS0.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS0
sys-devices-platform-serial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS1
sys-devices-platform-serial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS2
sys-devices-platform-serial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/ttyS3
sys-module-configfs.device loaded active plugged /sys/module/configfs
sys-module-fuse.device loaded active plugged /sys/module/fuse
sys-subsystem-net-devices-eth0.device loaded active plugged /sys/subsystem/net/devices/eth0
sys-subsystem-net-devices-wlan0.device loaded active plugged /sys/subsystem/net/devices/wlan0
-.mount loaded active mounted /
dev-hugepages.mount loaded active mounted Huge Pages File System
dev-mqueue.mount loaded active mounted POSIX Message Queue File System
media-Datos.mount loaded active mounted /media/Datos
sys-fs-fuse-connections.mount loaded active mounted FUSE Control File System
sys-kernel-config.mount loaded active mounted Configuration File System
sys-kernel-debug.mount loaded active mounted Debug File System
tmp.mount loaded active mounted /tmp
systemd-ask-password-console.path loaded active waiting Dispatch Password Requests to Console Directory Watch
systemd-ask-password-wall.path loaded active waiting Forward Password Requests to Wall Directory Watch
cronie.service loaded active running Periodic Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
iptables.service loaded active exited Packet Filtering Framework
kdm.service loaded active running K Display Manager
lm_sensors.service loaded active exited Initialize hardware monitoring sensors
polkit.service loaded active running Authorization Manager
rc-local.service loaded active exited /etc/rc.local Compatibility
syslog-ng.service loaded active running System Logger Daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup.service loaded active exited Recreate Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
dbus.socket loaded active running D-Bus System Message Bus Socket
dmeventd.socket loaded active listening Device-mapper event daemon FIFOs
lvmetad.socket loaded active listening LVM2 metadata daemon socket
syslog.socket loaded active running Syslog Socket
systemd-initctl.socket loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket loaded active running Journal Socket
systemd-shutdownd.socket loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket loaded active listening udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
dev-sda6.swap loaded active active /dev/sda6
arch-daemons.target loaded active active Arch Daemons
basic.target loaded active active Basic System
cryptsetup.target loaded active active Encrypted Volumes
getty.target loaded active active Login Prompts
graphical.target loaded active active Graphical Interface
local-fs-pre.target loaded active active Local File Systems (Pre)
local-fs.target loaded active active Local File Systems
multi-user.target loaded active active Multi-User
remote-fs.target loaded active active Remote File Systems
sockets.target loaded active active Sockets
sound.target loaded active active Sound Card
swap.target loaded active active Swap
sysinit.target loaded active active System Initialization
syslog.target loaded active active Syslog
systemd-tmpfiles-clean.timer loaded active waiting Daily Cleanup of Temporary Directories
76 loaded units listed. Pass --all to see loaded but inactive units, too.
sudo nmap -v -sT localhost
Code:
Starting Nmap 6.25 ( http://nmap.org ) at 2013-03-13 13:01 CET
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating Connect Scan at 13:01
Scanning localhost (127.0.0.1) [1000 ports]
Completed Connect Scan at 13:01, 0.03s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00058s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
All 1000 scanned ports on localhost (127.0.0.1) are closed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
[Connecting to the LAN and therefore to Internet]
If I try to connect to the internet now, it doesn't work. I can do sudo ifconfig eth0 up, but sudo dhcpcd eth0 doesn't work.
It says: eth0 sending IPv6 Router Solicitation.... finally no IPv6 Routers available. Timed out. I know that it has to be IPv4, but yesterday it worked, today not.
If I try to do ping 192.168.1.1 it says: network is unreachable.
I have to edit /etc/dhcpcd.conf manually and modify these lines:
#noipv4ll
noipv6rs
Also, modify /etc/hosts and comment out the ::1 line.
But as I said, I didn't modify them the other way round, and yesterday (the first time I connected computerB to the LAN of computerA) dhcpcd for IPv4 worked correctly.
As I see, still no network connection... at least dhcpcd has assigned me an IP, etc., but it is not the normal one in the range 192.168.1.x (like the router 192.168.1.1 and the other PC 192.168.1.33)
but 169.254.67.213, netmask 255.255.0.0 and broadcast 169.254.255.255.
Something weird... and of course, the network is still unreachable if I try to ping google or the router.
I have to reset the router manually to be able to work properly from computerB.
Abnormal behaviour
The point is that after I connect to the Internet (ping works) the computer gets slow, emacs doesn't work, and if I try to open another terminal it says KDEInit could not launch '/usr/bin/konsole'
So, something goes wrong.
Updated almost every month. I do it just with pacman -Syu.
I don't really have an idea whether errors appear, because there are hundreds of programs and packages and I'm quite a newbie with Linux.
When I believed that computerA was at risk because of that, I checked the ports (iptables, firewall) of my ArchLinux, and it was completely open in the rules; that is because I changed to systemd and created the Simple Stateful Firewall for iptables on ComputerB. But it wasn't in the same LAN, so no risk of an intruder at that time.
NMAP from ComputerA to ComputerB
Code:
Initiating Connect Scan at 13:51
Scanning 192.168.1.34 [1000 ports]
Completed Connect Scan at 13:52, 50.80s elapsed (1000 total ports)
Nmap scan report for 192.168.1.34
Host is up (0.98s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp closed http
MAC Address: xf:xf:xf:xf:xf:xf (xfxfxf.)
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 62.24 seconds
Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)
[..Continue]
I have read the private message now, because I was trying to avoid even going inside one of the emails, because maybe the system is compromised, and my passwords as well, by some sort of keylogger.
So, the summary of the previous posts regarding your questions:
- computerA (which I think was compromised two to three weeks ago) - OpenSUSE 12.1 - updated probably 6 months ago (but if there is auto-updating/upgrading, I don't know yet)
- computerB (which I connected to the LAN for the first time yesterday) - ArchLinux 3.7 - updated monthly approx.
- None of them are servers; they are desktop computers for normal use. Therefore, no plesk, cpanel (I needed to search to know what that was xD)
- The processes are listed above.
- Network applications that run on both systems are also written above.
The file from the previous line of sh commands is really large. I will send it to you as a private message, and if you prefer I can also try to post it here in several posts.
- I copied the /var/log files to a flash drive. I'm writing from computerA (it remains connected), but computerB is isolated (really dangerous if an intruder destroys my files), but this morning I connected it to the internet as I posted before... with weird behaviours.
I have installed logwatch in openSUSE (computerA) and I have run the command now, but I changed it a little because some options are not in --help, I mean: "--save"
This is what I executed:
sudo /usr/sbin/logwatch --detail High --service All --range All --archives --numeric --logfile logwatch.log >> logwatch.log
This is a 16000-line file.
The output.log of the previous sh line is 51000 lines.
I have also taken the output.log from computerB (20000 lines) - but I don't remember if I took it as root.
I will have a look at the CERT Intruder Detection Checklist in the next hours.
[Second post answer]
Yep, I also think that there is a lot of garbage that is not really relevant (old viruses and cracks... not used for a long time).
For these months computerA was the only computer connected to the router, which goes directly to the neighborhood line towards the DSLAM.
ComputerB was connected to the router for the first time yesterday, when I was also worried that this computer would be "infected" from computerA.
The second time that I connected ComputerB was this morning to make the tests that I posted above. Now it remains disconnected to avoid more problems.
It was switched off just last night; now I keep it switched on.
Markers = Bookmarks. I have asked the two users of computerA, and they know how to add/delete bookmarks, and they are pretty sure they didn't modify them.
Not only that: imagine that the bookmarks you usually check are the main webpages of your company, let's call it Company X. OK, the modification of the bookmarks was the deletion of the Company X webpage links and the addition of Company Z links, which in turn are "enemies, competitors, opposing research groups" of Company X. That is why I thought it was some sort of "threat".
I'm going to check the Mozilla support page now.
About dhclient.conf, I can imagine that it is because of the weird behaviour yesterday on computerB when I connected for the first time.
OK, there is no /etc/dhcp/dhclient.conf but there is /etc/dhcpcd.conf with this info:
As I said, this morning, to be able to get the Internet connection (and yesterday when I executed sudo dhcpcd eth0 it worked properly), I needed to change:
"noipv4ll" to "#noipv4ll"
and I have also added "noipv6rs"
The thing that you say about the hostname is one thing that I checked yesterday when I saw "unknown00245462846", and in /etc/hosts it was the normal value.
And because today I switched on the computer, the value "localhost" was after @ in the prompt, so, the normal value.
I cannot check now what was in the hostnames yesterday, because today it was restored. Now it is "localhost".
I don't understand this line: " Do you have a request line with host-name in it? If so, this is probably what happened. "
But if I do: $ hostname
I still get:
unknown00245462846
So, it must be stored somewhere.
OK, so maybe this:
Quote:
Looking at the log files, you can see where your system obtained a DHCP lease. Immediately following this part of your KDE system crashed, "konsole[1156]: segfault at 84 ip b73128d4". Note the pid number 1156. Pids in this range are missing in your process list, but are immediately followed by /usr/bin/X :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-WnL9Aa, which looks like a restart of X, fitting with the theory that changing hostname conflicts with the display manager. The pause you saw was likely this crashing, restarting, and trying to generate a core dump.
It is because it froze and, like today with the problems in the whole KDE, there was no possibility to use a terminal (just Yakuake, no new terminals), no new applications like emacs, and those errors appear.
But still it is really weird; it never happened before since I have been using ArchLinux (almost 7 months).
Really, thank you for everything. I am really surprised by your altruistic labour. Thanks again!
OK! I tried to attach the three files here and they are larger than 256kB. So, I sent you an email with the zip file (710kB) with the three files inside.
Last edited by Zzipo; 03-13-2013 at 01:06 PM.
Reason: Attachment
I responded to you via PM yesterday. In doing so, you received my email contact information. It may be better to send the files directly to me as a .zip file instead of trying to break them up into several 'code' sections. Alternatively, if you click the 'go advanced' button at the bottom of the text window, you will get an option to include an attachment. A third option is to use a 3rd party resource like dropbox to post the files to a common area.
Normally, I agree with posting information in the forums rather than taking it offline into private areas because I believe the data, analysis, and record thereof serve the greater good of everyone. In this case, I am also weighing this against the needs to help you identify the cause of your mystery.
Edit: I posted this while you were posting your last entry above - hence the overlap on the email statements.
Here is some follow up for you.
The good news is that I can't see any indication of aberrant processes in the tree, extra copies of bash, or other signs of an active intrusion in your system. You're not running server processes and you have a firewall up. There are no indications of users other than userA; there are no indications of attempts to SU to root by this user, only kdesud, which is used for privileged execution. The network connections don't show any indication of unexpected active connections or processes listening for connections.
Now here is what I do see. Your Konsole is crashing a lot, which is strange. You also have A LOT of files in /tmp. It also looks like you're getting pinged on port 6881, which is probably Azureus Bit Torrent, though this is being blocked by your firewall. Since Suse is RPM based you should be able to use the rpm verify (RPM -vA) to see if any system files have been changed compared to your package. I would pay particular attention to konsole since it is crashing and consider running an md5sum against the binary and then comparing to the package version (you should be able to locate it from rpm.pbone.net). Next, I would run a thorough search of the home directory. In particular look for hidden files and executable files. Look for any files that have been modified or created since slightly before your suspected issue. You should be able to use the find command for this purpose, with an example being in the CERT check list. Next, I would run the 'file' command on those temp files to see what type of file they are. In particular see if any of them are executable and also look for executable permissions. I would also double check any java applications and look cautiously at any firefox plug-ins.
It also looks like you might have a mix of kde3 and kde4 as seen in the parameter list of the programs. I am wondering if you have some form of incompatibility that is causing crashes.
Finally, I would like to ask what was the nature of the changes to the markers? You mentioned it being in your language, but can you elaborate? This might be helpful to understand what transpired. Do you think it is possible that this is a form of corruption rather than malicious activity?
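The checks suggested in the post above (rpm verify, then a sweep of the home directory for recently modified, hidden or executable files with `file` run on what turns up) as one shell script. This is an added example, not code from the thread or from any of its participants; the function names `decode_rpm_verify` and `recent_files` are my own, and the sample lines passed to them are constructed to match the shape of `rpm -qVa` output (such as the listing posted later in the thread):

```shell
#!/bin/sh
# Added example (not from the thread): user-space triage helpers for the
# checks discussed above. Function names are my own choice.

# Decode one `rpm -V` / `rpm -qVa` line into words. rpm prints nine attribute
# columns ('.' = test passed), an optional file-type letter, then the path.
# Letter meanings (position-independent): S size, M mode, 5 digest, D device,
# L symlink target, U owner, G group, T mtime, P capabilities.
# Output: "<kind> <path>: <failed tests>", or "other <line>" for anything that
# is not a nine-column verify line (missing-file lines, dependency notes).
decode_rpm_verify() {
    line=$1
    flags=${line%% *}
    rest=${line#* }
    case "$flags" in
        *[!SM5DLUGTP.]*) printf 'other %s\n' "$line"; return 0 ;;
    esac
    [ ${#flags} -eq 9 ] || { printf 'other %s\n' "$line"; return 0; }
    case "$rest" in
        c\ *) kind=config;  path=${rest#* } ;;
        d\ *) kind=doc;     path=${rest#* } ;;
        g\ *) kind=ghost;   path=${rest#* } ;;
        l\ *) kind=license; path=${rest#* } ;;
        r\ *) kind=readme;  path=${rest#* } ;;
        *)    kind=file;    path=$rest ;;
    esac
    names=
    f=$flags
    while [ -n "$f" ]; do
        c=${f%"${f#?}"}      # first character of the remaining flag string
        f=${f#?}
        case "$c" in
            S) w=size ;;  M) w=mode ;;  5) w=digest ;; D) w=device ;;
            L) w=link ;;  U) w=user ;;  G) w=group ;;  T) w=mtime ;;
            P) w=caps ;;  *) continue ;;
        esac
        names="$names${names:+ }$w"
    done
    printf '%s %s: %s\n' "$kind" "$path" "$names"
}

# List regular files under DIR modified after REF (a file whose mtime marks the
# start of the suspect window, e.g. made with `touch -t`). Each output line:
# path, then tags: 'hidden' for a dot-file or dot-directory component,
# 'executable' for any execute bit, plus the `file` type when `file` exists.
recent_files() {
    dir=$1; ref=$2
    find "$dir" -type f -newer "$ref" | LC_ALL=C sort | while IFS= read -r p; do
        tags=
        case "$p" in */.*) tags=" hidden" ;; esac
        [ -x "$p" ] && tags="$tags executable"
        if command -v file >/dev/null 2>&1; then
            tags="$tags ($(file -b "$p"))"
        fi
        printf '%s:%s\n' "$p" "$tags"
    done
}

# Stand-alone demo: decode two constructed verify lines, then sweep $HOME for
# files touched since 20 Feb 2013 (a constructed window start).
# On a real system: rpm -qVa | while IFS= read -r l; do decode_rpm_verify "$l"; done
if [ "${1:-}" = "--demo" ]; then
    decode_rpm_verify '5S.T..... c /etc/pam.d/login'
    decode_rpm_verify '..L...... /usr/bin/netcat'
    ref=$(mktemp) && touch -t 201302200000 "$ref"
    recent_files "$HOME" "$ref"
    rm -f "$ref"
fi
```

Two points of design: the decoder keys on the letters rather than on column positions, because the meaning of each letter is fixed while the listing in this thread (run under a non-C locale, note the "falta" line) does not show the usual `SM5DLUGTP` column order. The `5` column already compares the installed file's digest with the one recorded in the package header, so `rpm -V konsole` (after `rpm -qf /usr/bin/konsole` to confirm the owning package) answers the md5sum question directly; `c` (config) entries are routinely changed by the administrator and are low signal, while digest or size changes on entries of kind `file` (binaries, libraries) are the ones to chase.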
Any follow up to this? As I mentioned above, there doesn't seem to be any indication of a root level intrusion, nor was your system in a position where such an event would have been likely. You still need to follow up with a thorough investigation of your user space.
Please let us know if you desire any help with this, assuming you are still interested.
Sorry to answer so late; I read it the other day but I was out this weekend.
I have read the CERT intrusion checklist, but it is from 1997, so I was searching for an updated one... with no results. So, I will do it now with that one.
I suppose now that all the info is about computerA (openSUSE), and not computerB (arch).
I have done:
sudo rpm -qVa
Code:
5S.T..... /var/spool/atjobs/.SEQ
5S.T..... c /etc/pulse/client.conf
5S.T..... c /etc/xinetd.d/vnc
.......M. /etc/cups
.......M. /var/lock
.....U... /var/cache/cups
5S.T..... c /etc/sysconfig/SuSEfirewall2
5S.T..... c /etc/default/passwd
5S.T..... c /etc/postfix/main.cf
5S.T..... c /etc/postfix/master.cf
.....U... /var/spool/postfix
...T..... /usr/lib/gconv/gconv-modules.cache
5S.T..... c /etc/fonts/suse-font-dirs.conf
5S.T..... c /usr/lib/jvm/java-1.6.0-openjdk-1.6.0/jre/lib/fontconfig.SuSE.properties
...T..... c /etc/YaST2/control.xml
5..T..... c /usr/share/kde4/config/kdm/kdmrc
"needed/missed" /var/run/systemtap
5S.T..... c /etc/sane.d/dll.conf
5S.T..... /usr/share/sane/descriptions-external/epkowa.desc
5S.T..... c /etc/maven/maven2-depmap.xml
5S.T..... c /usr/share/fonts/encodings/encodings.dir
5S.T..... c /usr/share/fonts/misc/fonts.dir
..L...... c /etc/pam.d/common-account
..L...... c /etc/pam.d/common-auth
..L...... c /etc/pam.d/common-password
..L...... c /etc/pam.d/common-session
......G.. /etc/cups/cupsd.conf.default
5S.T..... c /etc/pam.d/login
...T..... c /usr/share/fonts/100dpi/fonts.dir
5S.T..... c /usr/share/fonts/Speedo/fonts.dir
5S.T..... c /usr/share/fonts/Speedo/fonts.scale
5S.T..... c /usr/share/fonts/Type1/fonts.dir
5S.T..... c /usr/share/fonts/Type1/fonts.scale
...T..... c /usr/share/fonts/cyrillic/fonts.dir
5S.T..... c /usr/share/fonts/truetype/fonts.dir
5S.T..... c /usr/share/fonts/truetype/fonts.scale
5S.T..... c /usr/lib/libreoffice/share/config/javasettingsunopkginstall.xml
......G.. /usr/lib/kde4/libexec/kcheckpass
"Dependencies not satisfied for" nautilus-dropbox-1.4.0-1.fc10.i386:
nautilus-extensions >= 2.16.0 "is needed for (install)" nautilus-dropbox-1.4.0-1.fc10.i386
5..T..... c /etc/inittab
missing /var/cache/libx11/compose/l4_024_313cb605_00280cc0
5S.T...M. /usr/share/applications/defaults.list
5S.T..... c /etc/splashy/config.xml
..L...... /usr/bin/netcat
..L...... d /usr/share/man/man1/netcat.1.gz
If I try to check the integrity differences between the installed konsole binary and the konsole from the repositories, I have some problems.
I do:
Code:
userA@compA:~> md5sum /usr/bin/konsole
e49e909be3987f03c12afdfe54be363b /usr/bin/konsole
userA@compA:~> rpm -q konsole
konsole-4.7.2-2.3.1.i586
userA@compA:~> zypper search -s konsole
The repository 'Updates for openSUSE 12.1 12.1-1.4' is not updated. You can execute 'zypper refresh' as superuser (root) to update it.
Download (curl) error for 'http://opensuse-guide.org/repo/12.1/repodata/repomd.xml':
Error code: User abort
Error message: connect() timed out!
Cancel, Retry, Ignore? [c/r/i/?] (c):
I try to access that file from the Web, and it doesn't load. I think it is because it is old.
If I do "zypper refresh" I will probably replace the repositories and lose the previous versions, but I don't really know, so I didn't execute that.
I don't know how to check the md5sum of the same version of konsole that I have installed on my computer.
So, I have searched on the Web, found the link you mentioned, and then downloaded one of the ftp links... because I don't see any md5 checksum there. http://rpm.pbone.net/index.php3/stat....i586.rpm.html
I download the file, open the rpm, then extract it and run md5sum on the file "konsole". (I opened the rpm with Ark, then as a tar file; konsole is inside the usr/bin folder hierarchy of the file.)
So we can see that the numbers are the same. I don't know what the easy way would be to do this process of checking these two things.
I see several updates in "updates for openSUSE", some of them in the "Security" category. But anyway, I am planning to format this system when I finish with this.
I will now run the find command in the home folder.
About the markers:
I'm pretty sure (100%) the users didn't modify that. And if it was some weird/erroneous manipulation of the Firefox user interface, it is not so easy: at least "Bookmarks - Toolbar - FolderX - Right Button - Delete" two times, and then adding another two.
One or two clicks in a random way could provoke something, but not so many things, movements.
What really happened [context]:
Imagine that there are two companies, A and B. They are "competitors" in research programs, some sort of "enemies". (There are also other companies that work in the same area.)
Users of computerA work for company A. They usually go to the website of company A and other websites related to their job, which are stored in Mozilla Firefox bookmarks, inside a folder.
One day, users of computerA see that two of the whole group of links in the same folder (the website of company A and another one related to their job) have been modified to the website of company B and another website related to the job.
The user thinks that it is a joke by userB, deletes both links and adds the original links again in that folder.
The website of company A and the other original website related to their job work normally that day.
sudo find / -user root -perm -4000 -print
Code:
/opt/kde3/bin/kpac_dhcp_helper
/opt/kde3/bin/start_kdeinit
/lib/dbus-1/dbus-daemon-launch-helper
/sbin/mount.nfs
/sbin/unix_chkpwd
/sbin/unix2_chkpwd
/bin/mount
/bin/su
/bin/eject
/bin/ping
/bin/ping6
/bin/umount
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/pt_chown
/usr/lib/kde4/libexec/kcheckpass
/usr/lib/kde4/libexec/start_kdeinit
/usr/lib/chrome_sandbox
/usr/sbin/zypp-refresh-wrapper
/usr/bin/chage
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/at
/usr/bin/passwd
/usr/bin/expiry
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/crontab
find: `/home/userA/.gvfs': Permission denied
find: warning: not following the symbolic link `/windows/ussr/Program Files'
find: warning: not following the symbolic link `/windows/ussr/Users/Default/AppData/Local/Application Data'
find: warning: not following the symbolic link `/windows/ussr/Users/Default/Application Data'
[several like the three above from the /windows location]
find: `/proc/8237/task/8237/fd/4': No such file or directory
find: `/proc/8237/task/8237/fdinfo/4': No such file or directory
find: `/proc/8237/fd/4': No such file or directory
find: `/proc/8237/fdinfo/4': No such file or directory
sudo find / -group kmem -perm -2000 -print
Code:
find: `/home/userA/.gvfs': Permission denied
find: warning: not following the symbolic link `/windows/ussr/Program Files'
find: warning: not following the symbolic link `/windows/ussr/Documents and Settings'
find: warning: not following the symbolic link `/windows/ussr/Program Files/Common Files'
[several like the three above]
find: `/proc/8481/task/8481/fd/4': No such file or directory
find: `/proc/8481/task/8481/fdinfo/4': No such file or directory
find: `/proc/8481/fd/4': No such file or directory
find: `/proc/8481/fdinfo/4': No such file or directory
Point 3 of the checklist:
- So, should I trust the md5sum program? If an intruder can modify some tools, maybe they can also modify the md5sum program, and the sums I am checking now are incorrect.
- It says to check "login, su, telnet, netstat, ifconfig, ls, find, du, df, libc, sync, any binaries referenced in /etc/inetd.conf", but I have to do the same process as before:
And then search for that package on the Web, download, extract and do the checksum...
Any other easier/faster way?
- inetd.conf doesn't exist, but I have found xinetd.conf; it doesn't show any binary program:
Code:
#
# xinetd.conf
#
# Copyright (c) 1998-2001 SuSE GmbH Nuernberg, Germany.
# Copyright (c) 2002 SuSE Linux AG, Nuernberg, Germany.
#
defaults
{
log_type = FILE /var/log/xinetd.log
log_on_success = HOST EXIT DURATION
log_on_failure = HOST ATTEMPT
# only_from = localhost
instances = 30
cps = 50 10
#
# The specification of an interface is interesting, if we are on a firewall.
# For example, if you only want to provide services from an internal
# network interface, you may specify your internal interfaces IP-Address.
#
# interface = 127.0.0.1
}
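A quicker way to do the comparison the post above did by hand (download the package, open it in Ark, extract konsole, run md5sum), as an added example written for this page and not from the thread or from openSUSE: `rpm -qp --dump PACKAGE.rpm` prints, for every file in a downloaded package, the digest rpm recorded at build time, so the installed file can be checked against it without unpacking anything. The digest is md5 (32 hex characters) on older rpm releases and sha256 (64) on newer ones, so the script picks the tool from the digest length. Note the difference from `rpm -q --dump konsole` without `-p`: that reads the local RPM database, which is the same data `rpm -V` already compares against and is no more trustworthy than the rest of the installed system. The package file name below is the one the post names; the sample in the test is constructed.

```bash
#!/bin/bash
# Added example (not from the thread): check installed files against the
# digests stored in a downloaded .rpm, using `rpm -qp --dump`.
# Each --dump line is:
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# (symlink is "X" when the entry is not a symbolic link).
#   check_dump_line LINE [ROOT]   compare one entry to ROOT/path (ROOT defaults to /)
#   verify_package PKG.rpm [ROOT] run check_dump_line over the whole package
set -u

# Pick the checksum tool from the digest length rpm used.
digest_of() {
    local f=$1 nhex=$2 tool
    case $nhex in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unknown digest length $nhex" >&2; return 2 ;;
    esac
    "$tool" "$f" | cut -d' ' -f1
}

# Prints one status line and returns 0 (OK/SKIP/SYMLINK) or 1 (mismatch).
check_dump_line() {
    local line=$1 root=${2:-}
    local path size mtime digest mode owner group isconfig isdoc rdev symlink
    read -r path size mtime digest mode owner group isconfig isdoc rdev symlink <<EOF
$line
EOF
    local target=$root$path actual_size actual
    if [ "$symlink" != X ]; then
        printf 'SYMLINK %s -> %s\n' "$path" "$symlink"
        return 0
    fi
    case $digest in
        *[!0]*) ;;                      # a real digest
        *) printf 'SKIP    %s (no digest: directory or ghost file)\n' "$path"; return 0 ;;
    esac
    if [ ! -f "$target" ]; then
        printf 'MISSING %s\n' "$path"
        return 1
    fi
    actual_size=$(stat -c %s "$target")
    if [ "$actual_size" != "$size" ]; then
        printf 'SIZE    %s packaged=%s actual=%s\n' "$path" "$size" "$actual_size"
        return 1
    fi
    actual=$(digest_of "$target" "${#digest}") || return 2
    if [ "$actual" = "$digest" ]; then
        printf 'OK      %s\n' "$path"
        return 0
    fi
    printf 'DIGEST  %s packaged=%s actual=%s\n' "$path" "$digest" "$actual"
    return 1
}

# Exit status 1 if any packaged file differs from what is installed.
verify_package() {
    rpm -qp --dump "$1" | {
        status=0
        while IFS= read -r line; do
            check_dump_line "$line" "${2:-}" || status=1
        done
        exit "$status"
    }
}

# Usage: ./verify_rpm.sh konsole-4.7.2-2.3.1.i586.rpm [ROOT]
if [ $# -ge 1 ]; then
    verify_package "$@"
fi
```

Because rpm --dump separates fields with spaces, a packaged path that itself contains a space would be split wrongly; such paths are rare in system packages but the script does not handle them. If the md5sum/sha256sum binaries on the box are themselves in doubt, run the script from a rescue system or against the mounted disk with ROOT pointing at the mount point, which the second argument exists for.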
Thank you for the follow up. I will say that overall, in terms of handling a security incident investigation you've done remarkably well!
A few things in response to your latest post.
There are two ways to verify system files. The first, and easier way is via the RPM tool, which you used first. Sometimes this doesn't always pan out, as you discovered with Konsole, and you used the best procedure of finding a known version of the file and then manually comparing its footprint. In your case, Konsole looks clean.
This brings us to the list of file differences. Files in /var tend to change, and having them differ from the original package version is not really surprising. Sometimes they are worth checking out. In your case, you have modifications to the at jobs, which are like cron tasks in that one can say "at time X do something". What's more, you have a hidden file, as shown by the . in front of the file name. I would investigate this file carefully as it may be a clue.
Other files, such as those in /etc, like those marked with a 'c' are configuration files. These too are likely to change relative to the package defaults. You might want to take a look through the list and see if any of them strike you as unexpected. Pay particular attention to the pam.d changes as these involve the user authentication system.
Another one that jumps out at me is /usr/lib/kde4/libexec/kcheckpass, which again is associated with user logins.
The one that really bugs me is netcat. Netcat can be used to redirect network connections. The system binary file and the manual page for it have both been replaced with links. You should definitely investigate this!
Thank you for the explanation as to the nature of the change. It certainly puts things into perspective and I agree with you it doesn't look accidental, however, it also isn't something that I think would be characteristic of a random web intruder either.
The above is a list of things for you to look into. Putting everything together, I am suspicious of a possible attempt at espionage of some form, possibly involving user credentials or information gathering, and only an investigation into the nature of these changes will tell you.
I do highly recommend that you continue this process before you reformat and wipe the system. If you find that you do have something of this nature going on, a rewipe won't fully address the problem AND you will want / need the evidence to prove your point.
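To sort an `rpm -Va` listing like the one in this thread into what needs a look first, here is an added example (mine, not the thread's and not an rpm tool): a triage filter in awk that applies the reasoning of the post above. The flag column is rpm's standard S M 5 D L U G T P order (size, mode, digest, device, link, user, group, mtime, capabilities); the watch-list of configuration paths and the severity labels are my own choices and can be adjusted. The filter drops lines that are not verify output (dependency warnings, and localized words such as the "falta" in the listing above), so run rpm with LC_ALL=C to get the English form it expects. The sample lines in the test are copied from the listing in this thread.

```bash
#!/bin/bash
# Added example (not from the thread): rank `rpm -Va` output by how much it
# matters for an intrusion check.
#   triage_rpm_verify          reads rpm -Va lines on stdin, prints SEVERITY REASON PATH
#   verify_and_triage          runs rpm -Va under LC_ALL=C and triages it
set -u

triage_rpm_verify() {
    awk '
    function report(sev, why, path) { printf "%-6s %-11s %s\n", sev, why, path }

    # rpm prints "missing   /path" (or "missing   c /path") for absent files
    $1 == "missing" && NF >= 2 { report("MEDIUM", "missing", $NF); next }

    # verify lines: 8 or 9 flag characters, optional attr (c d g l r), path
    NF >= 2 && (length($1) == 8 || length($1) == 9) && $1 ~ /^[.SM5DLUGTP?]+$/ {
        flags = $1; attr = (NF >= 3) ? $2 : ""; path = $NF
        # configuration that controls authentication or code execution:
        # any change here is worth reading even though config files "may" change
        watched = (path ~ /^\/etc\/(pam\.d|sudoers|ssh|ld\.so|cron|init|profile|security|shadow|passwd|group)/)
        hidden  = (path ~ /\/\.[^\/]*$/)
        if (watched)                         report("HIGH",   "watched-cfg", path)
        else if (attr == "c" || attr == "d") report("INFO",   "cfg/doc",     path)
        else if (flags ~ /L/)                report("HIGH",   "link",        path)   # binary replaced by a symlink
        else if (hidden)                     report("MEDIUM", "hidden",      path)
        else if (path ~ /^\/var\//)          report("INFO",   "var-data",    path)   # spools and caches change by design
        else if (flags ~ /[5S]/)             report("HIGH",   "content",     path)   # digest or size of a non-config file
        else if (flags ~ /[MUG]/)            report("HIGH",   "owner-mode",  path)   # mode/owner/group, e.g. a new setuid bit
        else if (flags ~ /T/)                report("LOW",    "mtime",       path)   # timestamp only
        else                                 report("LOW",    "other",       path)
        next
    }
    # everything else (dependency warnings, localized messages) is dropped
    '
}

verify_and_triage() {
    LC_ALL=C rpm -Va 2>/dev/null | triage_rpm_verify | sort
}

# Usage: ./rpm_triage.sh            (runs rpm -Va)
#        ./rpm_triage.sh saved.txt  (triages a saved rpm -Va listing)
if [ $# -ge 1 ]; then
    triage_rpm_verify < "$1" | sort
elif [ -t 0 ]; then
    verify_and_triage
fi
```

Anything at HIGH is then checked the long way, against a fresh copy of the package rather than the local database; INFO entries under /var and plain config edits are read once for anything unexpected and otherwise left alone.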
...additionally I would like to point out that there has been a lot of talk about "markers" but no actual data has been shown: depending on the bookmark format there may be at least one date attached to a bookmark. Also backups aren't mentioned: if you make daily backups then it would be easier to pinpoint the time of change and what actually changed. If daily backups include the whole of the user's browser directory, this may also include user browsing history which may or may not reveal more clues.
*Personally I would not waste time trying to guess, speculate or formulate hypotheses. Entertaining as that may be, letting the facts (if any) speak for themselves would be "better" IMHO.